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Abstract. In Europe and North America, the most widely used stream cipher to 
ensure privacy and confidentiality of conversations in GSM mobile phones is the A5/1. 
In this paper, we present a new attack on the A5/1 stream cipher with an average time 
complexity of 2 48 5 , which is much less than the brute-force attack with a complexity 
of 2 64 . The attack has a 100% success rate and requires about 5.65GB storage. We 
provide a detailed description of our new attack along with its implementation and 
results. 
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1 Introduction 

The most widely used stream cipher to ensure privacy and confidentiality of conversations 
in GSM mobile phones in Europe and North America is the A5/1. The A5/1 was developed 
in 1987, then GSM was not considered for use outside Europe. The description of the A5/1 
was initially kept secret, but its design was disclosed in 1999 by reverse engineering [6]. The 
GSM organization later confirmed the correctness of the algorithm [5] . 

There are multiple versions of the encryption algorithm which belong to the A5 family: 
A5/0 is a dummy cipher with no encryption; A5/1 is the original A5 algorithm ensures over- 
the-air communication privacy and confidentiality of conversations in GSM mobile phones; 
A 5/2 is an intentionally weaker encryption algorithm created for export; while ^45/3 is 
a strong encryption algorithm created as part of the 3rd Generation Partnership Project 
(3 GPP) which is currently responsible for maintaining and developing GSM technical spec- 
ifications around the world [12]. 

Anderson [1], Golic [11] and Babbage [2] were the pioneers in cryptanalyzing the A5/1 
encryption algorithm when only a rough outline of the A5/1 was leaked. After A5/1 was 
reverse engineered, it was analyzed by Biryukov, Shamir and Wagner [5]; Biham and Dunkcl- 
man [4]; Ekdahl and Johansson [8]; Maximov, Johansson and Babbage [15]; Barkan and 
Biham [3]; Keller and Seitz [13]; and a few other researchers. 

1.1 Current Research 

Several attacks on the A5/1 stream cipher were designed in the past twenty years, but 
only a few of those were implemented. Attacks on the GSM protocol can work even if the 
network supports only A5/1 or A5/3 encryption, as long as the mobile phone supports 
A5/2 encryption. The main flaw that allows the implementation of these attacks is that 



the same key is used regardless of whether the phone encrypts using A5/1, A5/2, or A5/3 
algorithm. Therefore, the attacker can mount a man-in-the-middle attack, in which the 
attacker impersonates the mobile to the network, and the network to the mobile (by using 
a fake base station). The attacker might use A 5/1 for communication with the network and 
A5/2 for communication with the mobile. But due to the flaw, both algorithms encrypt 
using the same key. The attacker can obtain the key through a passive attack on A5/2. The 
attacker who is in the middle can eavesdrop, change the conversation, perform call theft, 
etc. The attack applies to all traffic including short message service (SMS) [3]. 



1.2 Our Contributions 

In this paper we describe a new guess- and- determine attack on the A5/1 stream cipher. This 
attack has an average time complexity of 2 48 5 , which is much less than a brute-force attack 
of 2 64 . For every possible 19 bits of the register R\, we require storage of 100MB to determine 
registers R% and i?3 given a known keystream KS. Our attack can be briefly described as 
follows: we assume that the register Ri is full with 19 bits and registers i?2 and i?3 will be 
filled progressively as the attack progresses. At any stage of this attack, i?i is completely 
filled and i?2 and R3 are partially filled. We call these states as state candidates. Once 
all three registers are completely filled, we call that state candidate a complete state 
candidate. This attack has a 100% success rate and requires about 5.65GB storage. With 
the knowledge of only 11 bits of the known keystream, the attack algorithm is able to 
determine a set of 64-bit complete state candidates which may contain the key. With every 
additional clocking round of the attack, the number of complete state candidates increases. 
Thus, the probability of finding the key among all the complete state candidates increases 
with every additional round after 11 clocking rounds. We provide a detailed description of 
our new attack along with its implementation and results in Sections 4, 5 and 6. 



2 Description of the A 5/1 Stream Cipher 
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Fig. 1. A5/1 Stream Cipher 



The A 5/1 stream cipher is built from three short linear feedback shift registers (LFSRs) 
of lengths 19, 22, and 23 bits, denoted by Ri, R 2 and R 3 respectively. The rightmost bit in 
each register is labeled as bit zero. The tapping bits of i?i are at bit positions 13, 16, 17, 
18; the tapping bits of R2 are at bit positions 20, 21; and the tapping bits of R 3 are at bit 
positions 7, 20, 21, 22 (Tabic 1). 

Table 1. The A5/1 Register Parameters 



Register Register Length Clocking Bit Primitive Polynomials Tapping Bits 



Ri 


19 bits 


8 


1 + x + x 2 + x b + x w 


18, 17, 16, 13 


R2 


22 bits 


10 


1 + x + x 22 


21, 20 


R 3 


23 bits 


10 


1 + x + x 2 + x 15 + x 23 


22, 21, 20, 7 



The tapping bits are predetermined according to the corresponding primitive polynomials 
for the registers. A polynomial of degree n over the finite field GF(2) (i.e., with coefficients 
either or 1) is primitive if it has polynomial order 2™ — 1. For each register, when the register 
is clocked, its tapping bits are XORed together and the result is stored in the rightmost bit of 
the left-shifted register. The three registers are maximal length LFSRs with periods 2 19 — 1, 
2 22 - 1, and 2 23 - 1 respectively [14]. 

The A5/1 keystream generator works as follows [6]. First, an initialization phase is run. 
At the start of this phase, all bits of the registers are set to 0. Then the key setup and 
the Initialization Vector (IV) setup are performed. During the initialization phase, all three 
registers are clocked and the key bits followed by the IV bits are XORed with the most 
significant bits (MSBs) of all three registers. Thus, the initialization phase takes an overall 
of 64 + 22 = 86 clock-cycles after which initial state Si is achieved. 

Based on this initial state Si, a warm-up phase is performed where the generator is 
clocked for 100 clock-cycles and the output is discarded. This results directly in state S w 
producing the first output bit 101 clock-cycles after the initialization phase. During the 
warm-up phase and the stream generation phase, the registers R\, R 2 , and R3 are clocked 
irregularly according to the majority function rule [7] depending on the clocking bits (CBs) 
of the registers. The majority function is a function from n inputs to one output. The value 
of the operation is true when at least | arguments are true, and false otherwise. 

The registers are clocked in a stop/go fashion using the following majority rule: Each 
register has a single clocking bit (bit 8 for R\, bit 10 for R 2 , and bit 10 for R 3 ) which decides 
the clocking pattern for its respective register. In each clock cycle, the majority function of 
the clocking taps is calculated and only those registers whose CBs agree with the majority 
function are clocked. At each step either two or three registers are clocked, and that each 
register has a probability of moving 3 out of 4 times. It is this clocking pattern which makes 
the stream cipher generate output bits which arc random. 

During encryption, a total of four cases are possible for clocking pattern of the registers. 
They are: 



Case 1: CB X = CB 2 / CB 3 (Clock R l and R 2 only) 
Case 2: CB X £ CB 2 = CB 3 (Clock R 2 and R 3 only) 



Case 3: CB 1 = CB 3 ^ CB 2 (Clock R x and R 3 only) 
Case 4: CBi = CB 2 = CB 3 (Clock all three registers) 



where CBi denotes the clocking bit for register i; i = (1,2,3). 

After clocking, an output bit is generated from the values of R\, R 2 , and R 3 by XOR- 
ing their most significant bits (MSBs), as shown in Equation 1. This XORed bit is called 
the keystream bit (KS). 

i2i[18] ffi R 2 [21] 8 R 3 [22] = KS[i\, (1) 

where KS[i] denotes the i th keystream bit, i = on initialization and increases by 1 after 
every clocking round. 

After warm-up phase, the A5/1 produces 228 output bits. For every clock cycle, 114 bits 
are used to encrypt uplink traffic, while the remaining 114 bits are used to decrypt downlink 
traffic [9]. 

3 Known Attacks on the A 5/1 

Here we discuss the known guess- and- determine attacks on the A5/1. A guess-and-determine 
attack [16] is a known-plaintext attack on stream ciphers where the attacker guesses some 
bits of the cipher and the remaining bits are determined from the known keystream bits. 
The known plaintext attack is an attack model where the attacker has access to both the 
plaintext and its encrypted ciphcrtext. This can be used to reveal the secret key used for 
encrypting the known plaintext to the known ciphcrtext. These include Anderson's At- 
tack [1], Golic's Attack [11], Biham-Dunkclman's Attack [4], Keller-Seitz's Attack [13] and 
Gcndrullis-Novotny-Rupp's Attack (also known as the Modified Keller-Seitz Attack) [10]. 
All these attacks assume to have 64 bits of the keystream (KS) known. 

3.1 Guess-and-Determine Attacks 

The first guess-and-determine attack on the A5/1 was proposed by Anderson [1]. Anderson 
suggested to guess all bits of registers R\ and i? 2 and the lower half of register R 3 (i.e., 19 + 
22 + 11 = 52 bits), to determine the remaining bits of R 3 by Equation 1. In the worst-case, 
each of the 2 52 determined state candidates need to be verified against the known keystream. 
This attack was not implemented as Biham-Dunkclman's Attack and Keller-Seitz's Attack 
had lesser complexity. 

Golic proposed an attack that has a complexity of 2 40 linear equations sets [11]. He 
suggested to guess the lower half of all three registers and determine the remaining bits of 
the registers with the known keystream by Equation 1. However, each operation in this attack 
is much more complicated since it is based on the solutions of system of linear equations. 
In practice, this algorithm is not better than the Anderson's approach [1] or Keller-Seitz's 
[13] approach. In deriving the solution of the system of equations, we additionally require 
solving 44 linear equations by Gaussian Elimination method. This makes Golic's approach 
impractical to implement. 



Pornin and Stern [17] proposed a Software-Hardware trade off attack that is based on 
Golic's approach. But in contrast to Golic's approach, they guess the clocking sequence 
at the very beginning. The increased assumptions and complexity of the attacks make the 
actual implementation very difficult and impractical. 

The Biham-Dunkclman attack [4] is expected to be a thousand times faster than the 
Anderson's attack [4] or Keller-Seitz's attack [13]. The attack requires 2 47 A5/1 clockings and 
about 2 20 8 bits of plaintext data, which is equivalent to 2.36 minutes of conversation. The 
attacker guesses 12 bits (i.e., ^[(9, 18)] - i?i[13]), R 2 [0], R 3 [22] and i? 3 [10]), and determines 
the remaining bits of registers R\ and R 2 by Equation 1 and the known keystream bits. The 
attack algorithm assumes that register i? 3 is not clocked (i.e., Ri[8] = i?2[10] / i? 3 [10]) 
for 10 consecutive rounds. Such an event will occur once out of 2 20 possible cipher states. 
The attacker must know exactly the location of the information- leaking event where register 
i? 3 is unclocked for 10 consecutive rounds. This is a big assumption. Thus, the attacker 
will need to probe about 2 20 different starting locations by trial-and-error before the event 
actually occurs. Also, the probability that such an event, where register i? 3 is not clocked 
for consecutive 10 rounds occurs is close to zero. This attack requires a lot of data and 
precomputation space. Hence this attack is not practical for implementation. 

Keller and Seitz designed a new attack [13] based on the attack proposed by Anderson. 
But unlike Anderson, they took into account the asynchronous clocking of the A 5/1 stream 
cipher. According to their algorithm, the attacker guesses registers R\ and R 2 completely 
and determines all bits of register i? 3 by Equation 1. The attack was divided into two phases: 
a determination phase in which a possible state candidate consisting of the three registers 
of A5/1 after its warm-up phase [6] is generated, and a subsequent post-processing-phase in 
which the state candidate is checked for consistency. In the determination phase, the authors 
try to reduce the complexity of the simple guess- and- determine attack by early recognizing 
contradictions that could occur by guessing the clocking bit of Rs such that i? 3 will not be 
clocked. Hence, all states arising out of the contradictory guess neither need to be computed 
further on nor checked afterwards. The authors further reduce the complexity by not only 
discarding the incorrect possibilities for i? 3 [22] in case of contradiction, but also limit the 
number of choices to the one of not-clocking i? 3 , if this is possible without any contradiction. 
If a case arises where i?i[8] = i?2[10] and i? 3 [10] has to be guessed, then the authors suggest 
to always consider the case i?i[8] = i?2[10] = i? 3 [10] and clock register R 3 with register Ri 
and register R 2 . This leaves out the possible case of J?i[8] = #2 [10] 7^ i? 3 [10]. Thus, the 
success probability of this attack is approximately 18%, and the number of state candidates 
inspected by Keller and Seitz to the number of valid states is w 0.18. 

Gendrullis, Novotny and Rupp [10] (GNR) proposed a modification to the Keller-Seitz 
attack. Unlike Keller-Seitz [13], the authors only discard the wrong possibilities for the 
clocking bit of register i? 3 that would lead to a contradiction. But if no contradiction exists, 
they check all possibilities of the clocking bit of i? 3 , which means the case of clocking and 
not-clocking R 3 . Thus, every possible state candidate is taken into account, hence giving us 
a success probability of 100%. 

Besides Golic [11] and Babbage [2], Biryukov-Shamir- Wagner [5] (BSW) proposed an 
attack with a complexity of 2 48 requiring about 300GB storage, where the online phase of 
the attack can be executed within minutes with a 60% success probability. 



Barkan-Biham-Keller [3] also proposed another attack along these lines. However, in the 
precomputation phase of such an attack huge amounts of data need to be computed and 
stored. For example, with three minutes of ciphcrtext available, one needs to precomputc 
about 50 TB of data to achieve a success probability of about 60%. These are practical 
obstacles that make the implementation of such attacks very difficult. 

4 A New Attack on the A 5/1 

Our approach is based on the guess- and- determine attack proposed by Anderson [1], but 
with several modifications. With 64 bits of keystream (KS) known, all bits of register Ri 
are guessed (known) and all bits of registers R 2 and R 3 are determined. But unlike the ap- 
proaches of Anderson [1], Golic [11], Biham-Dunkelman [4] and Keller-Seitz [13], we consider 
all possible cases i.e., no case is discarded. At the end, we come up with about 2 48 5 possible 
state candidates, which is much smaller than the exhaustive search where we have 2 64 state 
candidates. Hence this attack is better than the exhaustive search approach. 

The attack consists of two phases, the determination phase and the post-processing-phase. 
The determination phase is again divided into two parts, the processing-phasel and the 
processing-phase2. 

4.1 Determination Phase 

The determination phase generates all possible state candidates after the warm-up phase [6] 
is completed. Let t 2 and t 3 denote the number of times the registers R 2 and R 3 are clocked, 
respectively. Every time a register is clocked, increment the counter for that register by one. 
Initialize the algorithm by giving the input of known keystream bits (KS) and guessing all 
bits of the smallest register Ri (Figure 2). 

Processing-Phasel Compute the most significant bits (MSBs) of register R2 and register 
R 3 using the MSB of register R\ and KS bit by Equation 1. If the values of three of these 
bits are known, the fourth can be computed easily by the above equation. If R 2 [21] and 
i? 3 [22] are unknown, then there exist four possible combinations for the unknown bits; i.e. 
00, 01, 10 and 11. But the above equation reduced the number of possibilities to two. The 
two possible combinations that satisfy the equation are: 

- If i?i[18] = KS[i], then R 2 [2l] = R 3 [22] = or i? 2 [21] = R 3 [22] = 1. 

- If i?i[18] 7^ KS[i], then R 2 [2l] = 0, R 3 [22\ = 1 or i? 2 [21] = 1, R 3 [22] = 0. 

This reduces the number of possible cases by half and the number of possible state candidates 
to half. During initialization, i is set to 0, and with every additional clocking round, the value 
of i increases by 1. Note that i also denotes the total number of clocking rounds that have 
taken place. 



INITIALIZE 



Are R 2 [21] AND R 3 [22] filled? 



YES 



NO 



Is R 2 [21] filled but R 3 [22] filled? 



YES 



Determine R 3 [22] by 
Equation 1 



NO 



Is R 3 [22] filled but R 2 [21] filled? 



Determine R 2 [21] by 
Equation 1 



NO 



Replicate block twice. 
Determine R 2 [21] AND R 3 [22] by Equation 1 . 
Fill each block with a specific valid combination. 



Go to Processing Phase2 



Is t 2 > 10 AND t 3 > 11? 



YES 



TERMINATE 



NO 



Clock registers. Increase counters. 



Equation 1: KS[i] =Ri[18] © R 2 [21] © R 3 [22] 
t2 = no. of times R2 is clocked 
t3 = no. of times R3 is clocked 



Fig. 2. Determination Phase of the Attack (Processing-Phasel) 



Processing-Phase2 Consider the clocking bits of registers R2 and R3. There are three 
possibilities: 

— If i?2[10] is filled and i? 3 [10] is vacant, then replicate the state candidate twice, fill one 
copy with i?3[10] = 0, and the other copy with i?3[10] = 1 

— If i?2[10] is vacant and #3 [10] is filled, then replicate the state candidate twice, fill one 
copy with .R 2 [10] = 0, and the other copy with #2 [10] = 1 

— If -R2[10] and i? 3 [10] are both vacant, then replicate the state candidate four times, fill 
the first copy with i2 2 [10] = 0, J? 3 [10] = 0; the second copy with i? 2 [10] = 0, R 3 [10] = 
1; the third copy with i? 2 [10] = f, i? 3 [10] = 0; and the fourth copy with i? 2 [10] = f, 
i? 3 [10] = 1. 

Thus, all possible combinations are taken into consideration (Figure 3). 
Now consider the bits i? 2 [20] and i? 3 [21]. If registers R2 and R3 are clocked, then these 
bits will become the new MSBs for their respective registers after clocking. If both these 
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Is R 2 [10] filled but R 3 [10] vacant? 



Replicate Block twice 



Is R 3 [10] filled but R 2 [10] vacant? 



Fill one Block with R 2 [10] = 
Fill other Block with R 2 [10] = 1 



Replicate Block 4 times 



Fill the replicated Blocks accordingly: 
Block 1: R 2 [10] = 0,R 3 [10] =0 
Block2:R 2 [10] = 0,R 3 [10] = l 
Block3:R 2 [10] = l,R 3 [10]=0 
Block 4: R 2 [10] = 1,R 3 [10] = 1 



Replicate Block twice 



Fill one Block with R 3 [10] = 
Fill other Block with R 3 [10] = 1 



AreR 2 [20] ANDR 3 [21] 
filled? 



Now for each Block, do the following: 
If Ri[8] = R2[101 = R3[ 101, then replicate this new Block twice and fill each Block with a 

valid combination for R 2 [201 AND R 3 [211 by Equation2. 
If Ri [81 * R 2 fl01 = R 3 [101, then replicate this new Block twice and fill each Block with a 

valid combination for R 2 [201 AND R 3 [211 by Equation3. 

If R 2 [10] * Ri[8] = R 3 [10], then R 3 [21] = R,[171 © R 2 [211 © KS[i+ll 
If R 3 [10] * R,[8] = R 2 [10], then R 2 [20] = Ri[17] © R 3 [22] © KS[i+l] 

Also, if R 3 [71 is vacant, then duplicate Block twice. 
Fill one Block with R 3 [7] = 0, and other Block with R 3 [71 = 1 



Equation2: Ri[17] © KS[i+l] = R 2 [20] © R 3 [21] 
Equation3: Ri[18] © KS[i+l] = R 2 [20] © R 3 [21] 



Fig. 3. Determination Phase of the Attack (Processing-Phase2) 



bits are vacant, there are four possible combinations for these bits; i.e., 00, 01, 10 and 11. 
But Equation 2 and Equation 3 reduce them to two possibilities. This reduces the number 
of possible cases by half i.e., 50% save. 

If only one of these bits is vacant, there are two possibilities for the vacant bit i.e., or 
1. But this is reduced to only one possibility (Figure 3). For example, if i?2[10] 7^ Ri[8] = 
R 3 [10], then i? 3 [21] = i?i[17] ® #2 [21] KS[i + 1]. In this case, only #3 [21] is unknown. 
This bit can be calculated by the above equation. Here, two possibilities for i?3[21] reduce 
to only one possibility. This reduces the number of cases by half. 



Follow this protocol till t 2 < 10 and t 3 < 11. Once this condition is not satisfied, i.e., the 
first time t 2 > 10 and t 3 > 11, stop. At this moment, registers R 2 and R 3 are completely 
determined for the known KS and register Ri . The number of bits between the clocking bit 
(CB) and the MSB for register R 2 is 10 and for register R 3 is 11. Hence, register R 2 has to 
be clocked at least 10 times and register R 3 has to be clocked at least 11 times to determine 
all the bits of that register. 

A complete state candidate is a state candidate with all bits filled. The minimum number 
of KS bits required to obtain a set of complete state candidates is eleven. This will happen 
when both registers R 2 and R 3 are clocked together for 10 consecutive clocking cycles and 
register R 3 is clocked again in the next round. 

4.2 Post-Processing-Phase 

The post-processing-phase checks for the key from the set of complete state candidates 
obtained after the determination phase. As discussed in Section 4.1, the minimum number 
of rounds needed to perform the post-processing-phasc is 11. The number of complete state 
candidates increases with every additional round. Hence, the probability of finding the key 
increases with every additional round. 

In this phase we generate output bits by performing normal A5/1 encryption with each 
of the complete state candidates obtained from the determination phase. Match these output 
bits bit-wise with the known KS bits. If the KS bits and output bits match, continue clocking 
and generating output bits till a contradiction of bit-wise matching occurs. If all the output 
bits match the given 64 KS bits, the complete state candidate is the key. Hence, we have 
found the key among all the complete state candidates. 

5 Analysis of the Attack 

We now discuss each phase of the attack step-by-step. After initialization, we perform the 
first step of implementation, i.e., the determination phase. The state candidate has all bits 
of register R\ and registers R 2 and R 3 vacant. According to the protocol, the determination 
phase determines the most significant bits (MSBs) of registers R 2 and R 3 in the processing- 
phasel; the clocking bits of R 2 and R 3 (i.e., i?2[10] and i? 3 [10]), bit R 3 [7] and if possible, 
bits i?2[20] and i? 3 [21] by processing-phase2. 

Now we analyze the first stage of the determination phase i.e., the processing-phase 1. If 
vacant, the MSBs of registers R 2 and R 3 have to be determined. The number of possible 
combinations reduces from four to two by Equation 1. Thus saving two combinations, i.e., 
a 50% save. During the implementation of further rounds, there is a possibility where only 
one of the MSBs of R 2 or R 3 is vacant. We determine these vacant bit(s) by Equation 1. 

We now proceed to processing-phase2 of the determination phase. Here we first consider 
the four vacant bits: R 2 [10] (CB of R 2 ), R 3 [10] (CB of R 3 ), R 2 [20] and R 3 [2l]. But all these 
four bits (except the first step after initialization) may not be vacant together at all times. In 
the following table (Figure 4) , we consider all possible cases of these four bits being empty, 
and the number of maximum possible valid combinations that exist as a result of Equation 
1. We now consider the bit R 3 [7}. There are two possibilities for this bit, i.e., and 1. But 
we cannot eliminate any case by any method. Hence, we need to consider both cases. 



EMPTY? 


CASES 


MAX. 
POSSIBLE 
VALID CASES 


% SAVE 


CB2 


Ri[201 


CB3 


'V^ | £ ^ J 


/ 


/ 


/ 




16 


6 


62.5 


V 


V 


V 




Q 
o 


MA 

1> / \ 


NA 


V 


V 




V 


Q 
o 




OZ.J 


f 

V 




f 

V 


f 
V 


Q 
O 


/I 

4 






V 


f 
V 


f 
V 


Q 
O 


J 


oz.j 


f 

V 


V 






/I 


z 


DU 


f 

V 




V 




/I 


NT A 

IN A 


XT A 
IN A 


V 






J 

V 


/I 
4 


z 






/ 




/ 


4 


z 


JU 




/ 


/ 




4 


NA 


NA 




/ 




/ 


4 


2 


50 






/ 


/ 


4 


2 


50 


/ 








2 


2 







/ 






2 


1 


50 






/ 




2 


NA 


NA 








/ 


2 


1 


50 




















Fig. 4. All possibilities during Processing-Phase2 



Whenever the CB of register R3 is vacant, the bit i?3[21] has to be vacant too. Hence there 
are some cases in the following table which are not applicable (NA). The last column depicts 
the percentage of the total possible cases that are discarded due to the attack algorithms. 

In the determination phase, a total of 7 bits (i.e., i? 2 [21], i? 2 [20], i? 2 [10], #3 [22], #3 [21], 
i?3[10] and # 3 [7]) have to be determined. These 7 bits would have 2 7 = 128 possible com- 
binations. But our algorithms give only 24 valid possible combinations. Thus saving 104 
combinations i.e., a saving of 81.25%. 

If J? 3 [7] is not considered, the first round of implementation will always generate 12 state 
candidates. On an average, the second round generates 60 state candidates and the third 
round generates 300 state candidates. The number of state candidates (till round 10) can be 
approximated by the formula 12*5™ _1 , where n denotes the n th round, n G Z + , n < 11. It is 
only after the 11 th round that we will get the first set of complete state candidates (with all 
registers full). When bit i? 3 [7] is taken into consideration, the first round of implementation 
will always generate 24 state candidates. From round three to round ten, the number of 
possible state candidates after every round is approximately five times the total number in 
the previous round. 



6 Discussion 



We discuss in detail a probabilistic approach to determine the time complexity, the storage 
requirement and success probability of our new attack. The results of this probabilistic 
approach are also corroborated by experimental data. According to these results, the average 
number of rounds necessary to get the key is 15.5 and the average number of complete state 
candidates obtained after 15.5 rounds is 2 48 5 . 

We conclude this section with a comparison of our attack implementation results with 
the guess-and-determine attacks already known. 

6.1 Time complexity 

Now we understand the exact time-complexity of our attack algorithm. According to the 
algorithm, work done is during: 

— Checking to see if a cell in a register is vacant or full 

— Replication of state candidates 

— Filling up vacant bits 

It is reasonable to assume that the checking and filling of bits take negligible amount of time. 
Hence, we can safely assume that the unit of our time complexity measurement should be 
the number of replications needed, where one unit of time is one replication. The algorithm 
starts with registers R 2 and i?3 vacant and register R\ filled (guessed). At the end, it creates 
about 2 48 5 complete state candidates, i.e., 2 48 5 replications. 

The number of bits between the clocking bit (CB) and the most significant bit (MSB) for 
register R 2 is 10 and for register i? 3 is 11. Hence, the number of times the registers R 2 and R% 
have to be clocked to determine all the bits of that register is at least 10 and 11 respectively. 
The minimum number of KS bits required to obtain a set of complete state candidates (with 
no vacant bits) is 11. This will occur when both registers R2 and R3 are clocked together 
for 10 consecutive clocking cycles and register R 3 is clocked again in the following round. 
With every clocking round, the number of complete state candidates increases. Hence, the 
probability of finding the key increases with every additional round of clocking, after 11 
rounds. 

According to the majority function of the clocking rule for the A5/1, a register will get 
clocked 3 out of 4 times. At every clocking cycle, at least two registers will get clocked. Let 
ni be the event that registers R 2 and R 3 are clocked together, and n 2 be the event that 
register R\ is clocked either with register R 2 or with register R3. The probabilities that 
events n\ and n 2 occur arc given by P(n\) and P{n 2 ) respectively. Let n' 2 be the event that 
only registers R\ and R 2 are clocked. Let n 2 be the event that only registers R\ and R3 
are clocked. The probabilities that events n' 2 and n 2 occur are given by P(n' 2 ) and P (n'2) 
respectively. Hence, one concludes that P(ni) — P(n 2 ) — |. Thus: 

P(m) + P(n 2 ) = 1 and P(n 2 ) = P(n> 2 ) + P{n' 2 r ) = \ + \- (2) 

i.e., 

P( ni ) + P(n' 2 ) + P(n' 2 r ) = 1 



Registers R 2 and R3 have to be clocked at least 10 and 11 times respectively to determine 
all bits of that register, i.e., to obtain a set of complete state candidates. We assume that 
they were clocked n\ or n 2 respectively for the attack to stop. 

Let X be the random variable denoting the number of clocking cycles needed to obtain 
complete state candidate. Let x\ be the number of clocking cycles needed for event n\, x 2 
for n' 2 and X3 for n 2 . Here, xi — 10, x 2 = 10 and x 3 = 11. Then the expectation for this 
variable X is defined as 

= xi * P(ni) + x 2 * P(n' 2 ) + x 3 * P(n' 2 ') 
[ 1 P( ni ) + P{n' 2 ) + P«) 

10* I +2* (10* ^ + 11* |) _ 

- 1,1,1 - ib - b 

2 ~r 4 ' 4 

An Experiment We implement normal encryption of A 5/1 using random inputs for all 
three registers. The aim of this experiment is to determine the average number of clocking 
rounds needed for register R 2 and R3 to be clocked at least 10 and 11 times respectively. 
We performed this experiment thrice, each time with 250 inputs. The average number of 
clocking rounds needed turned out to be 15.51 with a standard deviation of 1.785. Hence, 
the experimental results corroborate with the theoretical proof. 

So we conclude, that the minimum number of clocking cycles necessary to obtain a set 
of complete state candidates is 11, and after 15.5 rounds there is a very high probability 
that the set of complete state candidates contain the key. Experimental results show us that 
after 11 rounds we get about 2 40 complete state candidates. 



6.2 Storage Requirement and Success Probability 

As discussed in Section 4.1, the minimum number of KS bits required to generate a set of 
complete state candidates (all bits filled) is 11. With every additional clocking round, the 
number of complete state candidates increase. We can start the post-processing-phase of the 
attack after round 11 simultaneously with the determination phase of the attack. Hence, the 
probability of finding the key also increases with every round. But we require at least 64 KS 
bits for the post-processing-phase of the attack to check for the key. 

In Table 2, we describe the data obtained from our humble experiments with this at- 
tack. The four columns of the table are: number of clocking rounds; total number of state 
candidates obtained after that round; total number of complete state candidates obtained; 
and the percentage of complete state candidates over the total number of state candidates 
for that particular round. All values of the experimental data in the table are approximated 
to one decimal place. 

Remark: In each round, the number of possible choices reduce to at least half of the number 
for an exhaustive search (refer Figure 4). Hence, a minimum saving of 50% takes place 
in every round over exhaustive search (all possible choices). As stated in Section 6.1, the 
average number of rounds to get the key is around 15.5. In each round, we save at least half 
the possible cases. Hence for 15.5 rounds we save (|) 15 ' 5 cases. Thus, the average number of 
complete state candidates obtained after 15.5 rounds will be (2 64 )(|) 15 - 5 = 2 48 5 . The key 



Table 2. Storage Requirement and Success Probability 



No. of Rounds Total State Candidates Complete State Candidates ^^f 2 x 100 



11 


2 4b.2 


2 39.2 


1.6% 


12 


246.0 


2 42.5 


9.0% 


13 


2 46.7 


2 44.5 


22% 


14 


246.9 


2 45.3 


30% 


15 


247.1 


246.1 


50% 



would be among the set of complete state candidates obtained after the 15th round, with a 
probability higher than 50%. 

Storage For each guess of 19 bits of register we require storage of 100MB to determine 
registers i?2 and i?3 and the known keystream KS. If we do not find the key for this choice of 
19 bits for register then we discard this guess and make a new guess for register R 1 . In 
the worst case scenario, we would check all 2 19 possible choices for register R\. The attack 
has a 100% success probability and requires about 5.65GB storage. 

Comparison of the known guess-and-determine attacks on the A5/1 We conclude 
this section with a comparison of our attack with other guess-and-determine attacks already 
known. The following table (Table 3) lists the necessary amount of known keystream bits 
(KS), the time complexity and the success probability for each attack. 



Table 3. Comparison of the known guess-and-determine attacks on the A5/1 



Attack 


KS bits 


Time 


Success 


Notes 






complexity 


probability 


Storage 


Anderson's Attack[l] 


64 


2 b2 


100% 




Colic's Attack[ll] 


64 


240.16 


100% 


Additionally solve 64x64 










Linear System of Equations 


Biham-Dunkelman's Attack[4] 


220.8 


2 47 


63% 




Keller-Scitz's Attack[13] 


64 


251.24 


18% 




GNR's Attack[10] 


64 


254.02 


100% 




BSW's Attack[5] 


64 


2 48 


60% 




Our Attack 


64 


2 48.5 


100% 


5.65GB 



7 Conclusion 

Our attack is based on the guess-and-determine approach proposed by Anderson [1], but 
with several modifications. In this attack, all bits of the first register R\ are assumed to 
be known and all bits of registers i?2 and R3 are determined with 64 bits of the known 
keystream (KS). 



This attack has an average time complexity of 2 48 5 , which is much smaller than an 
exhaustive search. The average number of rounds necessary to obtain the correct key from 
the set of complete state candidates is 15.5. With every round of clocking after 11 rounds, 
the number of complete state candidates increases. Thus, the probability of finding the 
key increases with every clocking round. One can do the post-processing phase for a round 
simultaneously with the determination phase for the next round, and thus save time. The 
attack is successful with 100% probability and requires about 5.65GB storage. With this we 
conclude that our attack is better than all known guess-and-determine attacks on the A 5/1 
stream cipher. 
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